Jaideep Padhye | 25 Aug 03:19 2011

x86_64 cross-compile failing on a i686 32 bit system

Hi,

I came across following issues while trying to cross compile. The native build system is 'i686-pc-linux-gnu'. I'm following the procedure as mentioned on the help page in the website. First I compiled the library for native system with following configuration:
 ../heimdal-1.5/configure  --prefix=$PKG/install --disable-shared --disable-dynamic-afs --disable-otp  --disable-krb4  --disable-ndbm-db  --disable-afs-string-to-key  --disable-heimdal-documentation   CC="/usr/local/gcc-3.0.4/bin/gcc" 

I did a make install and copied the resulting 'compile_et' from the '$PKG/install/bin' to '$PKG/install/libexec/heimdal' directory.  Then, I cross-compiled the library for the host system with the following configuration:

../heimdal-1.5/configure --prefix=$PKG/install --libdir=$PKG/install/lib64 --host=x86_64-unknown-linux-gnu --with-cross-tools=$PKG/install/libexec/heimdal/--enable-pthread-support --disable-static --disable-dynamic-afs --disable-otp --disable-krb4 --disable-ndbm-db --disable-afs-support --disable-afs-string-to-key --with-pic --disable-heimdal-documentation --with-openssl=$THIRDPARTY/openssl-1.0.0a --with-openssl-include=$THIRDPARTY/openssl-1.0.0a/include --with-openssl-lib=$UNICORN_DERIVED/unicorn/lib HOSTCC=/usr/local/gcc-3.0.4/bin/gcc CC=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-gcc CXX=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-g++ CPP=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-cpp AR=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-ar AS=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-as LD=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-ld NM=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-nm RANLIB=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-ranlib STRIP=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-strip OBJDUMP=$CROSSTOOLS/bin/x86_64-unknown-linux-gnu-objdump CPPLAGS=" -nostdinc -I$CROSSTOOLS/include" LDFLAGS="-XCClinker -B$CROSSTOOLS/lib64" LIBS="-lncurses -lstdc++"

On running a make, I got following issues:

Issue # 1:
=======

The build fails with the following error:

Making all in lib
gmake[1]: Entering directory `/home/jdthebigj/Heimdal/x86_64/lib'
Making all in roken
gmake[2]: Entering directory `/home/jdthebigj/Heimdal/x86_64/lib/roken'
perl ../../../heimdal-1.5/cf/roken-h-process.pl \
-c ../../include/config.h  \
-p ../../../heimdal-1.5/lib/roken/roken.h.in -o roken.h
failed parse: (!defined(HAVE_STRERROR_R)
gmake[2]: *** [roken.h] Error 255
gmake[2]: Leaving directory `/home/jdthebigj/Heimdal/x86_64/lib/roken'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/home/jdthebigj/Heimdal/x86_64/lib'
gmake: *** [all-recursive] Error 1
++ exit 1
++ exit 1

There seems to be a bug in the perl script in which the regex fails to parse:  '(!defined(HAVE_STRERROR_R) ' . The problem here seems to be due to the leading ( not being matched. I fixed it by adding one more case as seen in the patch below. 
This resolved the issue but it failed again complaining about the re-declaration of 'strerror_r' . So I tweaked the condition in the input file a little bit as per my understanding and everything went fine.  Please let me know if the fix seems to make sense or will it cause further issues. The fix is as follows:

diff --git a/lib/roken/roken.h.in b/lib/roken/roken.h.in
index a6299ae..ddc3148 100644
--- a/lib/roken/roken.h.in
+++ b/lib/roken/roken.h.in
<at> <at> -538,7 +538,7 <at> <at> ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL getdtablesize(void);
 ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL strerror(int);
 #endif

-#if (!defined(HAVE_STRERROR_R) && !defined(strerror_r)) || (!defined(STRERROR_R_PROTO_COMPATIBLE) && defined(HAVE_STRERROR_R))
+#if (defined(HAVE_STRERROR_R) && !defined(strerror_r)) || (!defined(STRERROR_R_PROTO_COMPATIBLE) && defined(HAVE_STRERROR_R))
 int ROKEN_LIB_FUNCTION rk_strerror_r(int, char *, size_t);
 #else
 #define rk_strerror_r strerror_r
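Review bot: Flipping the first clause to `defined(HAVE_STRERROR_R)` removes the fallback for systems that lack strerror_r: when HAVE_STRERROR_R is undefined both clauses are now false, so the `#else` branch maps rk_strerror_r onto a strerror_r the platform does not provide. It also declares rk_strerror_r whenever the system function exists and is not a macro, even with a compatible prototype, which only links if roken's replacement is built in that configuration (not visible here). The original test reads as intentional, so I would keep `(!defined(HAVE_STRERROR_R) && !defined(strerror_r))` as the first clause and fix the expression parsing in cf/roken-h-process.pl instead; the redeclaration error is probably a symptom of the script mis-evaluating the condition. The `#endif` that closes this block is outside the hunk.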

diff --git a/cf/roken-h-process.pl b/cf/roken-h-process.pl
index a54c921..1cdfcf6 100644
--- a/cf/roken-h-process.pl
+++ b/cf/roken-h-process.pl
<at> <at> -145,6 +145,9 <at> <at> sub parse_if
     if (m/^\s*$/) {
      print "end $_\n" if ($debug);
      return 1;
+    } elsif (m/^\(([^&]+)\&\&(.*)$/) {
+     print "$1 and $2\n" if ($debug);
+     return parse_if($1) and parse_if($2);
     } elsif (m/^([^&]+)\&\&(.*)$/) {
      print "$1 and $2\n" if ($debug);
      return parse_if($1) and parse_if($2);
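Review bot: The added `elsif` strips the leading `(` but never consumes its matching `)`, so the grouping is lost: for `(A && B) || (C && D)` it splits at the first `&&` and passes `B) || (C && D)` to the recursive call, which is no longer the expression the header wrote. Separately, `return parse_if($1) and parse_if($2);` parses as `(return parse_if($1)) and ...` in Perl because `and` binds looser than `return`, so the right-hand operand is never evaluated, both here and in the existing branch below. The new branch needs to match the balanced group, evaluate it, and then continue with the remainder, and the return should read `return (parse_if($1) && parse_if($2));`. parse_if starts and ends outside the hunk.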

Issue # 2:
========

After fixing the first issue in the way given above, the build manages to proceed but then fails with the following:

bin/sh ../../libtool --tag=CC--mode=link /nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/ x86_64-unknown-linux-gnu/bin/x86_64-unknown-linux-gnu-gcc  -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs  -g -O2  -XCClinker -B/nptl/linux-2.6.10/gcc-4.1.1- glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/lib64 -L/home/jdthebigj/ncurses/install/lib64 -o slc slc-gram.o slc-lex.o  libsl.la ../../lib/vers/libvers.la ../../lib/roken/  libroken.la -lcrypt  -lresolv -pthread -lncurses -lstdc++
libtool: link: /nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/bin/  x86_64-unknown-linux-gnu-gcc -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations - Wnested-externs -g -O2 -B/nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/lib64 -o .libs/slc slc-gram.o slc-lex.o -pthread  -L/home/jdthebigj/ncurses/install/lib64 ./.libs/libsl.so -L/crosstool/crosstool-0.43/build/x86_64-unknown-linux-gnu/gcc-4.1.1-glibc-2.3.6-mallocfix/build-gcc/x86_64-unknown-linux-gnu/libstdc++-v3/src -L/crosstool/crosstool-0.43/build/x86_64-unknown-linux-gnu/gcc-4.1.1-glibc-2.3.6-mallocfix/build-gcc/x86_64-unknown-linux-gnu/libstdc++-v3/src/.libs -L/crosstool/crosstool-0.43/build/x86_64-unknown-linux-gnu/gcc-4.1.1-glibc-2.3.6-mallocfix/build-gcc/./gcc -L/nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/bin -L/nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/ x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/lib -L/nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/lib/../x86_64-unknown-linux-gnu/lib -L/nptl/linux-2.6.10/gcc-4.1. 1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sys-root/lib/../lib64 -L/ nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/sys-root/usr/lib/../lib64 /home/jdthebigj/Heimdal/x86_64/lib/libedit/src/.libs/libheimedit.so ../../lib/vers/.libs/libvers.a ../../lib/roken/.libs/libroken.so -lcrypt -lresolv -lncurses /nptl/linux-2. 6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/lib/../lib64/libstdc++.so -lm -lc -lgcc_s -pthread -Wl,-rpath -Wl,/home/jdthebigj/Heimdal/install/lib64 -Wl,- rpath -Wl,/nptl/linux-2.6.10/gcc-4.1.1-glibc-2.3.6-mallocfix/x86_64-unknown-linux-gnu/x86_64-unknown-linux-gnu/lib/../lib64
 cp ../../../heimdal-1.5/lib/sl/sl.h ../../include/sl.h
gmake[2]: Leaving directory `/home/jdthebigj/Heimdal/x86_64/lib/sl'
Making all in wind
gmake[2]: Entering directory `/home/jdthebigj/Heimdal/x86_64/lib/wind'
../../lib/com_err/compile_et ../../../heimdal-1.5/lib/wind/wind_err.et
../../lib/com_err/compile_et: /home/jdthebigj/Heimdal/x86_64/lib/com_err/.libs/lt-compile_et: No such file or directory
../../lib/com_err/compile_et: /home/jdthebigj/Heimdal/x86_64/lib/com_err/.libs/lt-compile_et: No such file or directory
gmake[2]: *** [wind_err.c] Error 1
gmake[2]: Leaving directory `/home/jdthebigj/Heimdal/x86_64/lib/wind'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/home/jdthebigj/Heimdal/x86_64/lib'
gmake: *** [all-recursive] Error 1
++ exit 1
++ exit 1

The 'lt-compile_et' file is present, but it is a 64-bit executable, so it cannot run on the 32-bit build machine.  The configure script somehow fails to pick up the path for the native 'compile_et', which is given as the value of the '--with-cross-tools' switch.
Is there any way that I can force it to pick up the 32-bit 'compile_et'? I tried to assign it like the CC or CXX variables at configure time, but it did not work. 

Any help will be appreciated.

Thanks,

Jaideep


jaw171 | 18 Aug 21:19 2011

Compiling Heimdal 1.4 on RHEL 6.1 x64 fails on bn_mp_exptmod_fast.c

I'm having trouble getting Heimdal to compile on Red Hat Enterprise Linux 6.1
x64.

I got the 1.4 source from h5l.org and ran into problems with missing .h files
which were part of tcl but not in the tcl-devel package from the repos.  I got
those from the source tarball of tcl of the same version but now I'm hitting
another problem:

***snip***
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc  -DHAVE_CONFIG_H -I. -I.
-I../../include -I../../include  -DIMATH_LARGE_PRIME_TABLE -DTFM_CHECK
-DTFM_TIMING_RESISTANT -DBUILD_HCRYPTO_LIB -I../../lib/roken -I../../lib/roken
-I./libtommath -DUSE_HCRYPTO_IMATH=1 -DUSE_HCRYPTO_LTM=1 -I/usr/include/et 
-D_LARGE_FILES= -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
-Wmissing-declarations -Wnested-externs  -I/usr/include/tcl-private/generic -MT
libhcrypto_la-bn_mp_exptmod_fast.lo -MD -MP -MF
.deps/libhcrypto_la-bn_mp_exptmod_fast.Tpo -c -o
libhcrypto_la-bn_mp_exptmod_fast.lo `test -f 'libtommath/bn_mp_exptmod_fast.c'
|| echo './'`libtommath/bn_mp_exptmod_fast.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I. -I../../include -I../../include
-DIMATH_LARGE_PRIME_TABLE -DTFM_CHECK -DTFM_TIMING_RESISTANT
-DBUILD_HCRYPTO_LIB -I../../lib/roken -I../../lib/roken -I./libtommath
-DUSE_HCRYPTO_IMATH=1 -DUSE_HCRYPTO_LTM=1 -I/usr/include/et -D_LARGE_FILES=
-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
-Wmissing-declarations -Wnested-externs -I/usr/include/tcl-private/generic -MT
libhcrypto_la-bn_mp_exptmod_fast.lo -MD -MP -MF
.deps/libhcrypto_la-bn_mp_exptmod_fast.Tpo -c libtommath/bn_mp_exptmod_fast.c 
-fPIC -DPIC -o .libs/libhcrypto_la-bn_mp_exptmod_fast.o
libtommath/bn_mp_exptmod_fast.c:32: warning: no previous prototype for
‘mp_exptmod_fast’
libtommath/bn_mp_exptmod_fast.c: In function ‘mp_exptmod_fast’:
libtommath/bn_mp_exptmod_fast.c:89: warning: implicit declaration of function
‘mp_montgomery_setup’
libtommath/bn_mp_exptmod_fast.c:89: warning: nested extern declaration of
‘mp_montgomery_setup’
libtommath/bn_mp_exptmod_fast.c:101: error: ‘fast_mp_montgomery_reduce’
undeclared (first use in this function)
libtommath/bn_mp_exptmod_fast.c:101: error: (Each undeclared identifier is
reported only once
libtommath/bn_mp_exptmod_fast.c:101: error: for each function it appears in.)
libtommath/bn_mp_exptmod_fast.c:107: error: ‘mp_montgomery_reduce’
undeclared (first use in this function)
libtommath/bn_mp_exptmod_fast.c:116: warning: implicit declaration of function
‘mp_dr_setup’
libtommath/bn_mp_exptmod_fast.c:116: warning: nested extern declaration of
‘mp_dr_setup’
libtommath/bn_mp_exptmod_fast.c:117: error: ‘mp_dr_reduce’ undeclared
(first use in this function)
libtommath/bn_mp_exptmod_fast.c:125: warning: implicit declaration of function
‘mp_reduce_2k_setup’
libtommath/bn_mp_exptmod_fast.c:125: warning: nested extern declaration of
‘mp_reduce_2k_setup’
libtommath/bn_mp_exptmod_fast.c:128: error: ‘mp_reduce_2k’ undeclared
(first use in this function)
libtommath/bn_mp_exptmod_fast.c:150: warning: implicit declaration of function
‘mp_montgomery_calc_normalization’
libtommath/bn_mp_exptmod_fast.c:150: warning: nested extern declaration of
‘mp_montgomery_calc_normalization’
libtommath/bn_mp_exptmod_fast.c:159: warning: implicit declaration of function
‘mp_mulmod’
libtommath/bn_mp_exptmod_fast.c:159: warning: nested extern declaration of
‘mp_mulmod’
make[2]: *** [libhcrypto_la-bn_mp_exptmod_fast.lo] Error 1
make[2]: Leaving directory `/var/tmp/heimdal-1.4/lib/hcrypto'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/heimdal-1.4/lib'
make: *** [all-recursive] Error 1

Here is what I did to get to this part:
Installed tcl-devel.x86_64 and tcl-devel.i686 from the repos
Download the tcl source version 8.5.7:
http://sourceforge.net/projects/tcl/files/Tcl/8.5.7/
Moved ./tcl8.5.7/libtommath/tommath_class.h to /usr/include/tcl-private/generic
Moved ./tcl8.5.7/libtommath/tommath_superclass.h to
/usr/include/tcl-private/generic
export CFLAGS="-I/usr/include/tcl-private/generic"
Config options: --without-ipv6

I also tried compiling and installing tcl from source rather than using the
repos, but that was no help either.  Where do I go from here?

[root <at> afs-dev-01 heimdal-1.4]# ./configure --version
Heimdal configure 1.4
generated by GNU Autoconf 2.65

Copyright (C) 2009 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.1 (Santiago)
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# uname -a
Linux afs-dev-01.cssd.pitt.edu 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# gcc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla
--enable-bootstrap --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-gnu-unique-object
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
--enable-libgcj-multifile --enable-java-maintainer-mode
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib
--with-ppl --with-cloog --with-tune=generic --with-arch_32=i686
--build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.5 20110214 (Red Hat 4.4.5-6) (GCC) 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# 
[root <at> afs-dev-01 heimdal-1.4]# rpm -q tcl-devel
tcl-devel-8.5.7-6.el6.i686
tcl-devel-8.5.7-6.el6.x86_64
alf.wachsmann | 16 Aug 07:10 2011

Heimdal and SAML

Hi,

We would like to allow our Kerberos (Heimdal) principals to use a Web site
that is using SAML (SimpleSAMLphp) for authentication.

It seems that several years ago there was an idea to use Kerberos directly
as a SAML IdP (called KAML) but that seemed to have produced nothing.

SimpleSAMLphp comes with a simple username/password provider and I was
hoping that maybe someone has used that to use Kerberos as the back-end.
I am not looking for anything fancy here (no SPNEGO or such).

I would appreciate any help.

Many thanks,
                    Alf.

_____
HPC Facility Manager
Okinawa Institute of Science and Technology
Tel: +81-98-966-8289
Cell: +81-80-3983-1954
FAX: +81-98-966-2889
Alf.Wachsmann <at> oist.jp
Nico Williams | 14 Aug 03:49 2011

Generalizing krb5_ticket_get_authorization_data_type()?

I notice that there is a very nice function called find_type_in_ad(),
that I'd like to use elsewhere, and which could be used to simplify
some code (e.g., rd_req.c:find_etype_list()).  But... a) it's a
static, b) it doesn't have a way to indicate whether the AD found is
critical or not (i.e., in an AD-IF-RELEVANT).

(krb5_ticket_get_authorization_data_type() has the same problem (b),
and also it only works on Tickets, but I need one that works on
Authenticators too.)

Any objections to a krb5_get_authorization_data_type() that takes...
what exactly?  krb5_auth_context doesn't store the Ticket...  can I
fix that too?  I imagine that we eventually want to free the Ticket,
to lower memory footprint, so maybe not?  Well, I don't need a very
general get-authz-data function yet, so I could just settle for
krb5_get_authenticator_authz_data_type().  Or if you know when it'd be
appropriate to release the Ticket, if we saved it in the auth context,
then I could code that.

Comments?

Nico
--

Harald Barth | 10 Aug 14:47 2011

Re: Heimdal in Lion


FYI: Apple has closed ticket number 8813134, which is the "original"
Bug-ID, the one the ssh bug was marked a duplicate of. As someone else
is the submitter of 8813134, it is not revealed if "closed" means "an
update will be shipped" or "we don't give a s***". To my knowledge
no update has been shipped yet, so for the users the bug is
still unsolved (open).

Harald.

Jelmer Vernooij | 4 Aug 03:03 2011

[PATCH] Remove more krb4 references from automake files.

From: Jelmer Vernooij <jelmer <at> samba.org>

---
 appl/afsutil/Makefile.am    |    3 --
 appl/ftp/common/Makefile.am |    4 +--
 appl/ftp/ftpd/Makefile.am   |    4 +--
 appl/rcp/Makefile.am        |    2 -
 appl/su/Makefile.am         |    2 +-
 cf/crypto.m4                |   52 -------------------------------------------
 kcm/Makefile.am             |    3 +-
 kdc/Makefile.am             |    9 +++----
 lib/gssapi/Makefile.am      |    3 +-
 lib/krb5/Makefile.am        |    2 +-
 lib/libedit/aclocal.m4      |   32 +++++++++++++++++++++-----
 lib/libedit/ltmain.sh       |   40 +++++++++++++++++++--------------
 12 files changed, 59 insertions(+), 97 deletions(-)

diff --git a/appl/afsutil/Makefile.am b/appl/afsutil/Makefile.am
index c0ca0d5..705bdf1 100644
--- a/appl/afsutil/Makefile.am
+++ b/appl/afsutil/Makefile.am
 <at>  <at>  -2,8 +2,6  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4)
-
 bin_PROGRAMS = afslog pagsh

 afslog_SOURCES = afslog.c
 <at>  <at>  -13,7 +11,6  <at>  <at>  pagsh_SOURCES  = pagsh.c
 man_MANS = afslog.1 pagsh.1

 LDADD = $(LIB_kafs) \
-	$(LIB_krb4) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_hcrypto) \
diff --git a/appl/ftp/common/Makefile.am b/appl/ftp/common/Makefile.am
index 1b0ebf2..21a1d6d 100644
--- a/appl/ftp/common/Makefile.am
+++ b/appl/ftp/common/Makefile.am
 <at>  <at>  -2,8 +2,6  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4) 
-
 noinst_LIBRARIES = libcommon.a

 libcommon_a_SOURCES = \
 <at>  <at>  -11,4 +9,4  <at>  <at>  libcommon_a_SOURCES = \
 	buffer.c \
 	common.h

-EXTRA_DIST = NTMakefile
\ No newline at end of file
+EXTRA_DIST = NTMakefile
diff --git a/appl/ftp/ftpd/Makefile.am b/appl/ftp/ftpd/Makefile.am
index 355b8ba..efcff13 100644
--- a/appl/ftp/ftpd/Makefile.am
+++ b/appl/ftp/ftpd/Makefile.am
 <at>  <at>  -2,7 +2,7  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+AM_CPPFLAGS += -I$(srcdir)/../common -DFTP_SERVER

 libexec_PROGRAMS = ftpd

 <at>  <at>  -24,7 +24,6  <at>  <at>  ftpd_SOURCES =		\
 	security.c	\
 	kauth.c		\
 	klist.c		\
-	$(krb4_sources) \
 	$(krb5_sources)

 EXTRA_ftpd_SOURCES = kauth.c gssapi.c gss_userok.c
 <at>  <at>  -47,7 +46,6  <at>  <at>  LDADD = ../common/libcommon.a \
 	$(LIB_gssapi) \
 	$(LIB_krb5) \
 	$(LIB_kafs) \
-	$(LIB_krb4) \
 	$(LIB_hcrypto) \
 	$(LIB_roken)

diff --git a/appl/rcp/Makefile.am b/appl/rcp/Makefile.am
index 39d67be..7bd48ba 100644
--- a/appl/rcp/Makefile.am
+++ b/appl/rcp/Makefile.am
 <at>  <at>  -2,8 +2,6  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4)
-
 bin_PROGRAMS = rcp

 rcp_SOURCES  = rcp.c util.c rcp_locl.h extern.h
diff --git a/appl/su/Makefile.am b/appl/su/Makefile.am
index 892bcaf..0a942ee 100644
--- a/appl/su/Makefile.am
+++ b/appl/su/Makefile.am
 <at>  <at>  -2,7 +2,7  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto)
+AM_CPPFLAGS += $(INCLUDE_hcrypto)

 bin_PROGRAMS = su
 bin_SUIDS = su
diff --git a/cf/crypto.m4 b/cf/crypto.m4
index a29b764..fddbd34 100644
--- a/cf/crypto.m4
+++ b/cf/crypto.m4
 <at>  <at>  -70,52 +70,6  <at>  <at>  AC_MSG_CHECKING([for crypto library])

 openssl=no

-if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
-	save_CPPFLAGS="$CPPFLAGS"
-	save_LIBS="$LIBS"
-
-	cdirs= clibs=
-	for i in $LIB_krb4; do
-		case "$i" in
-		-L*) cdirs="$cdirs $i";;
-		-l*) clibs="$clibs $i";;
-		esac
-	done
-
-	ires=
-	for i in $INCLUDE_krb4; do
-		CFLAGS="-DHAVE_OPENSSL $i $save_CFLAGS"
-		for j in $cdirs; do
-			for k in $clibs; do
-				LIBS="$j $k $save_LIBS"
-				AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],
-						[test_body])],
-					[openssl=yes ires="$i" lres="$j $k"; break 3])
-			done
-		done
-		CFLAGS="$i $save_CFLAGS"
-		for j in $cdirs; do
-			for k in $clibs; do
-				LIBS="$j $k $save_LIBS"
-				AC_LINK_IFELSE([AC_LANG_PROGRAM([test_headers],[test_body])],
-					[openssl=no ires="$i" lres="$j $k"; break 3])
-			done
-		done
-	done
-		
-	CFLAGS="$save_CFLAGS"
-	LIBS="$save_LIBS"
-	if test "$ires" -a "$lres"; then
-		INCLUDE_hcrypto="$ires"
-		LIB_hcrypto="$lres"
-		crypto_lib=krb4
-		AC_MSG_RESULT([same as krb4])
-		LIB_hcrypto_a='$(LIB_hcrypto)'
-		LIB_hcrypto_so='$(LIB_hcrypto)'
-		LIB_hcrypto_appl='$(LIB_hcrypto)'
-	fi
-fi
-
 if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
 	save_CFLAGS="$CFLAGS"
 	save_LIBS="$LIBS"
 <at>  <at>  -159,12 +113,6  <at>  <at>  if test "$crypto_lib" = "unknown"; then

 fi

-if test "$with_krb4" != no -a "$crypto_lib" != krb4; then
-	AC_MSG_ERROR([the crypto library used by krb4 lacks features
-required by Kerberos 5; to continue, you need to install a newer 
-Kerberos 4 or configure --without-krb4])
-fi
-
 if test "$openssl" = "yes"; then
   AC_DEFINE([HAVE_OPENSSL], 1, [define to use openssl's libcrypto])
 fi
diff --git a/kcm/Makefile.am b/kcm/Makefile.am
index 6829970..e06c4d2 100644
--- a/kcm/Makefile.am
+++ b/kcm/Makefile.am
 <at>  <at>  -2,7 +2,7  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5

 libexec_PROGRAMS = kcm

 <at>  <at>  -33,7 +33,6  <at>  <at>  man_MANS = kcm.8

 LDADD = $(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_krb4) \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/ntlm/libheimntlm.la \
diff --git a/kdc/Makefile.am b/kdc/Makefile.am
index 5ef3cbe..b206fc4 100644
--- a/kdc/Makefile.am
+++ b/kdc/Makefile.am
 <at>  <at>  -2,7 +2,7  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5

 lib_LTLIBRARIES = libkdc.la

 <at>  <at>  -68,7 +68,7  <at>  <at>  $(srcdir)/kdc-private.h:
 hprop_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_kdb) \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 <at>  <at>  -77,7 +77,7  <at>  <at>  hprop_LDADD = \
 hpropd_LDADD = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_kdb) \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 <at>  <at>  -91,7 +91,7  <at>  <at>  libkdc_la_LIBADD = \
 	$(LIB_pkinit) \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_kdb) \
 	$(top_builddir)/lib/ntlm/libheimntlm.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 <at>  <at>  -100,7 +100,6  <at>  <at>  libkdc_la_LIBADD = \

 LDADD = $(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(LIB_krb4) \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 919799f..bcce45f 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
 <at>  <at>  -13,8 +13,7  <at>  <at>  AM_CPPFLAGS += \
 	-I$(srcdir)/krb5 \
 	-I$(srcdir)/spnego \
 	$(INCLUDE_libintl) \
-	$(INCLUDE_hcrypto) \
-	$(INCLUDE_krb4)
+	$(INCLUDE_hcrypto)

 lib_LTLIBRARIES = libgssapi.la

diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
index 9429535..ebf773e 100644
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
 <at>  <at>  -2,7 +2,7  <at>  <at> 

 include $(top_srcdir)/Makefile.am.common

-AM_CPPFLAGS += $(INCLUDE_krb4) $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err
$(INCLUDE_sqlite3) $(INCLUDE_libintl)
+AM_CPPFLAGS += $(INCLUDE_hcrypto) -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl)

 bin_PROGRAMS = verify_krb5_conf

diff --git a/lib/libedit/aclocal.m4 b/lib/libedit/aclocal.m4
index 22f6418..86d2feb 100644
--- a/lib/libedit/aclocal.m4
+++ b/lib/libedit/aclocal.m4
 <at>  <at>  -13,8 +13,8  <at>  <at> 

 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
-[m4_warning([this file was generated for autoconf 2.65.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
+[m4_warning([this file was generated for autoconf 2.68.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 <at>  <at>  -2476,6 +2476,7  <at>  <at>  gnu*)
   library_names_spec='${libname}${release}${shared_ext}$versuffix
${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
   ;;

 <at>  <at>  -2640,6 +2641,18  <at>  <at>  linux* | k*bsd*-gnu | kopensolaris*-gnu)
   dynamic_linker='GNU/Linux ld.so'
   ;;

+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix
${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
 <at>  <at>  -3245,7 +3258,7  <at>  <at>  linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;

-netbsd*)
+netbsd* | netbsdelf*-gnu)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
   else
 <at>  <at>  -4056,7 +4069,7  <at>  <at>  m4_if([$1], [CXX], [
 	    ;;
 	esac
 	;;
-      netbsd*)
+      netbsd* | netbsdelf*-gnu)
 	;;
       *qnx* | *nto*)
         # QNX uses GNU C++, but need to define -shared option too, otherwise
 <at>  <at>  -4514,6 +4527,9  <at>  <at>  m4_if([$1], [CXX], [
       ;;
     esac
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   *)
     _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED
'\''s/.* //'\'' | sort | uniq > $export_symbols'
     ;;
 <at>  <at>  -4577,6 +4593,9  <at>  <at>  dnl Note also adjust exclude_expsyms for C++ above.
   openbsd*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    _LT_TAGVAR(link_all_deplibs, $1)=no
+    ;;
   esac

   _LT_TAGVAR(ld_shlibs, $1)=yes
 <at>  <at>  -4799,7 +4818,7  <at>  <at>  _LT_EOF
       fi
       ;;

-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
 <at>  <at>  -4976,6 +4995,7  <at>  <at>  _LT_EOF
 	if test "$aix_use_runtimelinking" = yes; then
 	  shared_flag="$shared_flag "'${wl}-G'
 	fi
+	_LT_TAGVAR(link_all_deplibs, $1)=no
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
 <at>  <at>  -5284,7 +5304,7  <at>  <at>  _LT_EOF
       _LT_TAGVAR(link_all_deplibs, $1)=yes
       ;;

-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	_LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
diff --git a/lib/libedit/ltmain.sh b/lib/libedit/ltmain.sh
index 3061e3c..b4a3231 100755
--- a/lib/libedit/ltmain.sh
+++ b/lib/libedit/ltmain.sh
 <at>  <at>  -69,7 +69,7  <at>  <at> 
 #         compiler:		$LTCC
 #         compiler flags:		$LTCFLAGS
 #         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4
+#         $progname:	(GNU libtool) 2.4 Debian-2.4-2ubuntu1
 #         automake:	$automake_version
 #         autoconf:	$autoconf_version
 #
 <at>  <at>  -79,7 +79,7  <at>  <at> 

 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4
+VERSION="2.4 Debian-2.4-2ubuntu1"
 TIMESTAMP=""
 package_revision=1.3293

 <at>  <at>  -136,15 +136,15  <at>  <at>  progpath="$0"

 : ${CP="cp -f"}
 test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
-: ${EGREP="grep -E"}
-: ${FGREP="grep -F"}
-: ${GREP="grep"}
+: ${EGREP="/bin/grep -E"}
+: ${FGREP="/bin/grep -F"}
+: ${GREP="/bin/grep"}
 : ${LN_S="ln -s"}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
-: ${SED="sed"}
+: ${SED="/bin/sed"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
 : ${Xsed="$SED -e 1s/^X//"}

 <at>  <at>  -6111,7 +6111,10  <at>  <at>  func_mode_link ()
 	case $pass in
 	dlopen) libs="$dlfiles" ;;
 	dlpreopen) libs="$dlprefiles" ;;
-	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
 	esac
       fi
       if test "$linkmode,$pass" = "lib,dlpreopen"; then
 <at>  <at>  -6430,19 +6433,19  <at>  <at>  func_mode_link ()
 	    # It is a libtool convenience library, so add in its objects.
 	    func_append convenience " $ladir/$objdir/$old_library"
 	    func_append old_convenience " $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      if $opt_preserve_dup_deps ; then
+		case "$tmp_libs " in
+		*" $deplib "*) func_append specialdeplibs " $deplib" ;;
+		esac
+	      fi
+	      func_append tmp_libs " $deplib"
+	    done
 	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
 	    func_fatal_error "\`$lib' is not a convenience library"
 	  fi
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    deplibs="$deplib $deplibs"
-	    if $opt_preserve_dup_deps ; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
-	      esac
-	    fi
-	    func_append tmp_libs " $deplib"
-	  done
 	  continue
 	fi # $pass = conv

 <at>  <at>  -7334,6 +7337,9  <at>  <at>  func_mode_link ()
 	    revision="$number_minor"
 	    lt_irix_increment=no
 	    ;;
+	  *)
+	    func_fatal_configuration "$modename: unknown library version type \`$version_type'"
+	    ;;
 	  esac
 	  ;;
 	no)
--

-- 
1.7.5.4

Harald Barth | 3 Aug 18:30 2011

iprop: Propagating a single create message _again_


As one of my KDC slaves has missed an iprop principal create message I
want to trigger the resending of this iprop message. The iprop log
file on the slaves does _not_ contain the create message, so a log
replay does not help. Modifying the principal does not help as the
modify message does not seem to contain enough to create the principal
on the slave.

If replaying a single old create is not possible, can I force a replay
of _everything_ from the master to the slave? Is there a safe way to
do this, preferably with short or no interruption to the KDC itself?

Harald.

Ethan Tira-Thompson | 30 Jul 00:21 2011

encryption type configuration

Hi, I’ve recently updated to Heimdal 1.4.1apple1 (i.e. Mac OS X Lion), and whenever I try to use kinit I get:
	$ kinit
	kinit: krb5_get_init_creds: KDC has no support for encryption type

My /Library/Preferences/edu.mit.Kerberos contains:
allow_weak_crypto = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

among other settings
(http://www.cmu.edu/computing/doc/contributed/proj-osx/config/10.4/edu.mit.Kerberos - I
added the allow_weak_crypto)

The weird thing is if I explicitly specify des-cbc-crc on the command line it works fine:
	kinit -e des-cbc-crc #works fine

So why is it only working when I specify encryption type on the command line, and not already reading this
from the config file (it’s getting my default_realm and other server settings from the file, so I know
it's reading it…?)

Thanks,
  -Ethan

Andreas Haupt | 26 Jul 11:35 2011

PKINIT with Ubuntu 11.04

Hi,

does anyone know how to get PKINIT with globus proxy certificates
working with Heimdal 1.4.99 (packaged with Ubuntu 11.04)? With a
self-compiled 1.2.1 it works on that system:

[znpnb195] ~ % /tmp/heimdal/bin/kinit --version
kinit (Heimdal 1.2.1)
Copyright 1995-2008 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at> h5l.org
[znpnb195] ~ % /tmp/heimdal/bin/kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
[znpnb195] ~ % klist
Credentials cache: FILE:/tmp/tmp.mjlFZuGILM
        Principal: ahaupt <at> NAF.DESY.DE

  Issued           Expires          Principal
Jul 26 11:30:50  Jul 27 12:30:50  krbtgt/NAF.DESY.DE <at> NAF.DESY.DE

With the packaged version I get this error:

[znpnb195] ~ % kinit --version
kinit (Heimdal 1.4.99)
Copyright 1995-2010 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs <at> h5l.org
[znpnb195] ~ % kinit -C FILE:$X509_USER_PROXY -D DIR:$X509_CERT_DIR ahaupt <at> NAF.DESY.DE
kinit: krb5_get_init_creds: Create CMS signedData: RSA private encrypt failed: 569888

Anything that needs to be done additionally now? The client seems to get
stuck already at the initialization - it doesn't even contact the KDC.

Cheers & thanks,
Andreas
--

-- 
| Andreas Haupt            | E-Mail: andreas.haupt <at> desy.de
|  DESY Zeuthen            | WWW: http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee           | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216

Stefan (metze) Metzmacher | 26 Jul 02:18 2011

Some more patches from lorikeet-heimdal

Hi Love,

what do you think about these patches?

metze
From f9913570f0c424015c4270ace1c4f6a47a3f361f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Sun, 24 Jul 2011 20:55:36 +0200
Subject: [PATCH 1/5] kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize

metze
---
 kdc/krb5tgs.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b0d5455..85b0be0 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -1508,6 +1508,7  <at>  <at>  tgs_build_reply(krb5_context context,

     Key *tkey_check;
     Key *tkey_sign;
+    int flags = 0;

     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
 <at>  <at>  -1517,6 +1518,9  <at>  <at>  tgs_build_reply(krb5_context context,
     s = b->sname;
     r = b->realm;

+    if (b->kdc_options.canonicalize)
+	flags |= HDB_F_CANON;
+
     if(b->kdc_options.enc_tkt_in_skey){
 	Ticket *t;
 	hdb_entry_ex *uu;
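Review bot: `HDB_F_CANON` is now driven by a bit the client controls (`b->kdc_options.canonicalize`), and nothing at this assignment says which lookups that affects. The same `flags` value is ORed into the server, client and S4U2Self impersonated-client `_kdc_db_fetch` calls in the later hunks, so a backend that resolves aliases only under `HDB_F_CANON` would presumably stop finding those entries for clients that do not set the option; that is worth confirming against the HDB backends in use. I would add a comment above the `if`, e.g. `/* Canonicalize HDB lookups only when the client asked for it; applies to the server, client and S4U2Self fetches below. */`. `tgs_build_reply` starts and ends outside this hunk.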
 <at>  <at>  -1591,7 +1595,7  <at>  <at>  tgs_build_reply(krb5_context context,
      */

 server_lookup:
-    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
 			NULL, NULL, &server);

     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 <at>  <at>  -1777,7 +1781,7  <at>  <at>  server_lookup:
 	goto out;
     }

-    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
 			NULL, &clientdb, &client);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	/* This is OK, we are just trying to find out if they have
 <at>  <at>  -1912,7 +1916,7  <at>  <at>  server_lookup:
 	    if(rspac.data) {
 		krb5_pac p = NULL;
 		krb5_data_free(&rspac);
-		ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON,
+		ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
 				    NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
 		if (ret) {
 		    const char *msg;
-- 
1.7.4.1

From 565aa639ac0fc86ddb54e0b52c624a5c935c54ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Mon, 25 Jul 2011 09:36:41 +0200
Subject: [PATCH 2/5] lib/hdb: add HDB_F_FOR_AS_REQ and HDB_F_FOR_TGS_REQ flags

This will be used to indicate to the backend if a fetch is for
an AS REQ or TGS REQ. Samba needs to take some action in the
HDB_F_FOR_TGS_REQ case and always canonicalize the principal
names, even without HDB_F_CANON.

metze
---
 lib/hdb/hdb.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index 64b52a3..75d1877 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
 <at>  <at>  -61,6 +61,8  <at>  <at>  enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_LIVE_CLNT_KVNOS	512	/* we want all live keys for pre-auth */
 #define HDB_F_LIVE_SVC_KVNOS	1024	/* we want all live keys for tix */
 #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
+#define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
+#define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */

 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
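Review bot: The two new comments say only which request a fetch is for, while the commit message states that a backend may canonicalize principal names for `HDB_F_FOR_TGS_REQ` even without `HDB_F_CANON`; that contract belongs next to the definitions, because it changes what callers can assume about the name in the returned entry. The flags also look mutually exclusive, which is not stated. Suggested wording: `/* fetch is for an AS-REQ; backend hint, never combined with HDB_F_FOR_TGS_REQ */` and `/* fetch is for a TGS-REQ; backend may canonicalize even without HDB_F_CANON */`.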
-- 
1.7.4.1

From 49df5d705708422e93af86aec35b55adfa1fbcfe Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Mon, 25 Jul 2011 09:39:43 +0200
Subject: [PATCH 3/5] kdc: pass down HDB_F_FOR_AS_REQ and HDB_F_FOR_TGS_REQ to the hdb layer

metze
---
 kdc/kerberos5.c |    2 +-
 kdc/krb5tgs.c   |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 4bc1619..c13abb7 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
 <at>  <at>  -978,7 +978,7  <at>  <at>  _kdc_as_rep(krb5_context context,
     krb5_crypto crypto;
     Key *ckey, *skey;
     EncryptionKey *reply_key = NULL, session_key;
-    int flags = 0;
+    int flags = HDB_F_FOR_AS_REQ;
 #ifdef PKINIT
     pk_client_params *pkp = NULL;
 #endif
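Review bot: Initialising `flags` to `HDB_F_FOR_AS_REQ` here (and to `HDB_F_FOR_TGS_REQ` in the `kdc/krb5tgs.c` hunk below) only reaches the backend through fetches that pass `flags`; any `_kdc_db_fetch` call in `_kdc_as_rep` or `tgs_build_reply` that passes literal flags would not carry the request type. Most of those call sites are outside both hunks, so this cannot be confirmed from the patch; it is worth checking that every lookup in these two functions either ORs in `flags` or deliberately omits it. A short comment at the declaration, e.g. `/* request-type hint for the HDB backend; OR into every _kdc_db_fetch() in this function */`, would keep later call sites consistent. Both function bodies continue outside the hunks.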
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 85b0be0..5874717 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -1508,7 +1508,7  <at>  <at>  tgs_build_reply(krb5_context context,

     Key *tkey_check;
     Key *tkey_sign;
-    int flags = 0;
+    int flags = HDB_F_FOR_TGS_REQ;

     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
-- 
1.7.4.1

From 130d1cbb62c040a7035ffddd66292e015f449e73 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet <at> samba.org>
Date: Tue, 16 Nov 2010 15:05:33 +1100
Subject: [PATCH 4/5] kdc: Build ticket with the canonical server name

We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply if requested.

Andrew Bartlett
---
 kdc/krb5tgs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 5874717..c74676c 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
 <at>  <at>  -2208,7 +2208,7  <at>  <at>  server_lookup:
 			 kvno,
 			 *auth_data,
 			 server,
-			 sp,
+			 server->entry.principal,
 			 spn,
 			 client,
 			 cp,
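Review bot: The ticket's server name is now taken from `server->entry.principal` unconditionally, although the commit message only speaks of canonicalising the reply "if requested". If the backend returns an entry whose principal differs from the requested `sp` (an alias, or a backend that canonicalizes regardless of `HDB_F_CANON`), a client that did not set the canonicalize option would presumably receive a reply whose server name differs from the one it asked for, and may reject it. Consider making the choice explicit, e.g. `b->kdc_options.canonicalize ? server->entry.principal : sp,`, or add a comment explaining why the canonical name is always correct here. The call being edited starts and ends outside the hunk.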
-- 
1.7.4.1

From 58cd08b72e07fd9fc7f8683e3a1b5cab131f0b7c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze <at> samba.org>
Date: Mon, 25 Jul 2011 08:34:13 +0200
Subject: [PATCH 5/5] kuser/kinit: make it possible to use --windows option on its own

metze
---
 kuser/kinit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kuser/kinit.c b/kuser/kinit.c
index e872fef..0b3876d 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
 <at>  <at>  -434,7 +434,7  <at>  <at>  get_new_tickets(krb5_context context,
 						pac_flag ? TRUE : FALSE);
     if (canonicalize_flag)
 	krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
-    if ((pk_enterprise_flag || enterprise_flag || canonicalize_flag) && windows_flag)
+    if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
 	krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
     if (pk_user_id || ent_user_id || anonymous_flag) {
 	ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
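Review bot: The new condition enables win2k mode for `--windows` alone, as the subject says, but it also enables it whenever `pk_enterprise_flag`, `enterprise_flag` or `canonicalize_flag` is set without `--windows`, which the subject does not mention. If that wider change is not intended, the line would be `if (windows_flag)`. If it is intended, a comment such as `/* enterprise names and canonicalization imply win2k compatibility mode */` should say so, since the option presumably changes how the KDC reply is validated. `get_new_tickets` continues outside the hunk.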
--

-- 
1.7.4.1

Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion


The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to these users which
want to use our services from OSX Lion), make the support web pages
etc etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.

Harald.

PS: Since release (5 days) we have 2 users who have fallen for the
"over 250 new features of OSX Lion" and can no longer log in to our
computers.

